
Fallen Empires

A Look At The Most Notorious Ransomware Gangs Of The Recent Past

In recent years, ransomware has emerged as one of the most pernicious cyber threats facing individuals and organizations worldwide. These malicious programs encrypt victims' files and demand payment in exchange for the decryption key, resulting in millions of dollars in losses. But as the ransomware epidemic has spread, so too have efforts to combat it.

The following are some of the most notorious ransomware groups of the recent past. Some of these groups have been taken down by law enforcement, with their members arrested and charged. Others have gone into hiding or retired, driven underground by fear of capture.

Prosecutor: "Thank you, Your Honor. The state has evidence that the defendant was a member of a highly sophisticated ransomware group that targeted and attacked several corporations, causing millions of dollars in damages. We have witness testimony, as well as digital forensic evidence linking the defendant to the group's activities."

Defense Lawyer: "Your Honor, my client is a teenager who is being wrongly accused. He has no prior criminal record and is not a computer expert. The state's evidence is circumstantial and does not prove that my client had any knowledge or intent to participate in this criminal activity."



#1 REvil: A Rare Look into the Inner Workings of a Cybercrime Syndicate

Aliases: Sodin, Sodinokibi, Bluebackground
Formation: 2019
Location: Russia
Data Exfiltrated: 44.1 TB [1]
# Victims Exposed: 282 [2]
Programming Language(s): C++, Assembly
Affiliations: GandCrab, DarkSide

The takedown of the REvil ransomware gang, otherwise known as Sodinokibi, in 2020 offered a rare, behind-the-scenes look at the inner workings of a cybercrime syndicate. For years, the group had been holding individuals and businesses hostage by encrypting their data and demanding hefty ransoms to restore access. But the arrest of the group's ringleader and several key members in a global operation gave investigators an unparalleled glimpse into the group's modus operandi. The operation exposed the group's infrastructure, its recruitment of affiliates, and its use of cryptocurrency to launder ransom payments. In total, REvil had around 40 active affiliates.

On January 15, 2022, the Russian Federal Security Service dealt a major blow to the notorious REvil ransomware group, arresting 14 suspected members at the request of the United States. Along with the suspects, authorities seized a staggering $6 million in cash and cryptocurrency, 20 high-end cars, and computers. But the real haul from the operation may be even bigger.

  • A 2021 IBM paper estimated that REvil had stolen 21.6 TB of data from its victims in 2020 alone [3]. However, Syhunt's analysis suggests the number may be significantly higher, with a total of 44.1 TB of stolen data from REvil's attacks in 2020 and 2021 [4].
  • The group created a website called "Happy Blog" where they would post screenshots of the data they had stolen and threaten to release it if the victim didn't pay the ransom.
  • One of the group's most high-profile attacks was against the travel technology company, Travelex, in January 2020 [5]. The attack resulted in the company's systems being locked and a ransom demand of $6 million being made. Despite initially refusing to pay the ransom, Travelex eventually agreed to pay $2.3 million to the group in order to regain access to its systems.
  • Known for using the Ransomware-as-a-Service (RaaS) model, under which it supplied malware and decryption services to other cybercriminals [6].
  • The financial toll of REvil's nefarious activities is staggering. In November 2021, the US Department of Justice seized $6.1 million in funds tied to alleged ransom payments made to the group. REvil's profits are believed to be in the hundreds of millions. The group claimed to have made over $100 million in 2020 alone, with researchers putting the number closer to $123 million.
  • The group exploited vulnerabilities in remote services such as Oracle WebLogic (CVE-2019-2725).
  • It purposely excludes countries in the Commonwealth of Independent States (CIS) as its targets.

Researcher Tomas: Where are you from?
Researcher Tomas: What is the name of your ransomware?
Cyber criminal: We don't have name, don't write here.
Researcher Tomas: Researchers are calling this - "Sodinokibi" ransomware. That's not a very nice name, maybe you like to use something else?
Cyber criminal: show me
Researcher Tomas: https://www.youtube.com/watch?v=MlfYEqAjXUE
Researcher Tomas: You could think of some cooler name than "Sodinokibi".
Cyber criminal: Hm, why this name?
Researcher Tomas: I would guess this is from an executable file name (https://twitter.com/GrujaRS/status/1122051853657739265/photo/1)
Researcher Tomas: What name would you like to use?
Cyber criminal: we don't have name, but give to us few days to think about it
Researcher Tomas: ok, great.

In April 2019, the creators of the ransomware gave it the name REvil.

#2 Conti: The Ransomware Group That Declared War on a Nation

Aliases: Wizard Spider, Ryuk, Trickbot
Formation: 2020
Location: Erbil, in Kurdistan, and Saint Petersburg, in Russia
Data Exfiltrated: 22.9 TB [7]
# Victims Exposed: 741 [8]
Programming Language(s): C++
Affiliations: Maze Cartel

Wizard Spider, the Russia-linked cybercrime group behind high-profile malware like Conti, Ryuk, and Trickbot, has evolved over the past six years into a multimillion-dollar organization with a corporate-like operating model. Wizard Spider's malware, particularly Conti, has caught the attention of government officials worldwide. In 2021, Conti ransomware was used in a near-catastrophic attack on Ireland's healthcare system, and in 2022 it wreaked havoc on Costa Rican government agencies. Costa Rican President Rodrigo Chaves declared that the country was at war with those behind the Conti ransomware, which successfully infiltrated 27 of its government institutions, including municipalities and state-run utilities [9].

Conti employed a multi-pronged approach to infiltrate its victims' networks, leveraging a variety of methods such as spearphishing campaigns, Remote Desktop Protocol (RDP) exploitation, and even purchasing access from so-called "network access brokers." This diverse and adaptive approach makes it challenging for organizations to defend against Conti's attacks.

Spearphishing campaigns, for example, involve the use of tailored emails and social engineering tactics to trick victims into divulging sensitive information or downloading malware. RDP exploitation, on the other hand, involves exploiting vulnerabilities in Remote Desktop Protocol software to gain unauthorized access to a victim's network. The revelation of Conti's use of "network access brokers" is particularly noteworthy as it highlights the group's willingness to buy access to networks, rather than solely relying on their own abilities to gain access through hacking. This shows that the group is well-funded and willing to pay for access to potential victims.

In August 2021, a trove of training documents leaked by a former affiliate exposed the inner workings of the group's attack model and structure. It serves as a reminder that even the most sophisticated criminal organizations can be vulnerable to insider threats [10].

Later, in February 2022, after the group sided with Russia on the invasion of Ukraine, a Ukrainian researcher using the Twitter handle @ContiLeaks shared a trove of information, including internal conversations, the source code for the Conti ransomware [11], and administrative panels, which exposed the inner workings of the group [12]. After that, the group retired its name, silently creating spinoffs [13].

  • Developed in C++ with Visual Studio 2015 and the Windows XP platform toolset (likely inside an encrypted virtual machine).
  • Conti had its own implementation of AES-256 encryption, utilizing up to 32 individual logical threads for lightning-fast encryption, leaving most ransomware in its wake.
  • The Conti ransomware group was led by a shadowy figure known only as "Stern" or "Demon," who acted as the group's CEO. A second key member, "Mango," served as a general manager and communicated frequently with Stern. Mango's messages to Stern put the group's core team at 62 members, with numbers fluctuating as high as 100.
  • According to an analysis by CheckPoint researchers, Conti's operational structure closely resembled a traditional hierarchical organization, featuring team leaders who answered to higher-ups in management [14] [15].
  • Ordinary programmers working for Conti, as revealed by Wired UK, earned around $1,500 to $2,000 per month, and members negotiating ransom payments would receive a share of the profits [16].
  • The group exploited over 30 vulnerabilities [17].

#3 Maze: The Notorious Ransomware Gang That Pioneered the Double-Extortion Model

Aliases: 
Formation: 2019
Location: Ukraine, Russia
Data Exfiltrated: N/A [18]
# Victims Exposed: N/A [19]
Programming Language(s): C/C++
Affiliations: Egregor, Sekhmet, FIN6, TA2101

The Maze group, which made its debut in May 2019, quickly gained attention for its double-extortion model [20]. Instead of simply encrypting a victim's files and holding them for ransom, Maze added an extra layer of extortion by also exfiltrating the victim's data and threatening to release it publicly unless the ransom was paid. This double-extortion model proved to be highly effective, and Maze quickly became one of the most active and successful ransomware groups in operation. A maze is a network of paths and hedges designed as a puzzle through which one has to find a way, also known as a labyrinth.

In November 2020, the group announced that it was shutting down without giving a reason for its decision [21]. It is likely that increased law enforcement pressure and the growing use of ransomware protection software by companies made it increasingly difficult for the group to operate.

Maze may be gone, but its evil legacy lives on. The group's double-extortion model has been adopted by other ransomware gangs, and the threat of ransomware attacks continues to be a major concern for businesses and individuals alike. The group's shutting down should be a reminder for all companies to take proactive measures to protect themselves from these types of attacks.

  • The Maze ransomware is believed to be a variant of ChaCha ransomware.
  • The ransomware used two algorithms to encrypt the files, ChaCha20 and RSA.
  • Maze did not attack any system if the language set on the system was Russian.
  • The group claimed a number of high-profile victims, including Cognizant, Xerox, LG, and Canon.
  • The group utilized exploits against Pulse VPN, as well as the Windows VBScript Engine Remote Code Execution Vulnerability to penetrate victim networks.

Link to the Egregor and Sekhmet Ransomware Groups

As the notorious Maze ransomware operation was shutting down in September 2020, a new player emerged on the cybercrime scene: Egregor. The group adopted the same double-extortion technique as its predecessor and quickly made a name for itself by claiming victims such as Ubisoft, Barnes & Noble, Kmart, and even Vancouver's subway system. However, Egregor's reign was short-lived. In February 2021, several members of the group were arrested in Ukraine, effectively shutting down the operation. The group caused a significant amount of damage in its brief time in operation.

Sekhmet was another ransomware group that emerged in March 2020, before Egregor. According to researchers, Sekhmet shared a number of similarities with both Maze and Egregor in its tactics, obfuscation techniques, API calls, and ransom notes. According to an analysis by CybleInc, the Egregor ransomware was compiled with Microsoft Visual C++ 8.0.

In February 2021, the Maze, Egregor and Sekhmet ransomware decryption keys were published by someone who claimed to be the developer for all three operations [22].

#4 Grief: An Evil Corp Ransomware Operation

Aliases: Grief Corp, DoppelPaymer, PayOrGrief
Formation: 2021
Location: Russia
Data Exfiltrated: N/A [23]
# Victims Exposed: 198+ [24]
Programming Language(s): C/C++
Affiliations: Evil Corp (AKA Indrik Spider)

In the fast-paced world of cybercrime, groups can emerge, evolve and rebrand quickly. According to various reports, Grief was believed to be a rebrand of the DoppelPaymer ransomware gang, which stopped its operations in May 2021. The group behind this malware was believed to have connections to another ransomware known as BitPaymer, which first emerged in 2017 as part of the Dridex malware family and was operated by the Indrik Spider group [25]. This suspicion is based on similarities found in their code, ransom notes, and payment portals. Grief (AKA Grief Corp) is also believed by the US Treasury Department to be a rebrand of the Russian cybercriminal organization Evil Corp [26].

  • Over half the companies listed on Grief’s dark web leak site were based in the U.K. and Europe. According to Syhunt researchers, a total of 79 victim organizations were listed on the leak site.
  • The group also operated another underground leak site, formerly known as DoppleLeaks, where it prominently posted the names of victim companies, as well as company details and sample data stolen from the organizations. According to Syhunt researchers, a total of 198 victim organizations were listed on that leak site.
  • The group was known for demanding large sums of money, ranging from US$25,000 to US$1.2 million, for the decryption of stolen files.
  • The group's ransomware used the RSA-2048 and AES-256 encryption algorithms.
  • DoppelPaymer was known to exploit the CVE-2019-19781 (Citrix ADC) vulnerability in its campaigns.

A Rebrand of Evil Corp

According to the US government, Evil Corp is believed to have stolen more than $100 million USD from companies across 40 countries, making them one of the most successful and dangerous cybercrime groups in operation today. According to researchers, Evil Corp has recently started using Lockbit ransomware rather than its own brand of malicious software. This move was seen as an attempt to hide evidence of their involvement and evade detection from law enforcement.

Evil Corp was also believed to be behind the PayloadBin ransomware and leak site [27] [28], which according to Syhunt researchers listed a total of 7 victims.

Evil Corp is believed to be named after a fictional multinational corporation from the hacker-themed TV show Mr. Robot.

#5 PYSA: The Rising Ransomware Group That Suddenly Became Quiet

Aliases: 
Formation: 2019
Location: Unknown
Data Exfiltrated: N/A [29]
# Victims Exposed: 249 [30]
Programming Language(s): C/C++, Go
Affiliations: 

PYSA is a variant of the Mespinoza ransomware and a group that surfaced as the US government was shutting down the first ransomware gangs. This strain of malware first came to prominence in October 2019, when it infected large corporate networks and caused widespread disruption.

The name PYSA was an acronym for "Protect your system, amigo", a slogan that could be found in the ransom note that was left by the ransomware on compromised systems.

In March 2021, alerts issued by the FBI, NHS, and CERTFR warned that, similar to the Maze ransomware, the Pysa ransomware was targeting local government agencies, educational institutions, private companies, and the healthcare sector [31].

In September 2021, researchers at Lacework alerted that the Pysa ransomware gang created a Linux version of its malware designed to target Linux hosts with ChaChi, a backdoor likely developed by the group [32].

According to Syhunt researchers, the PYSA group had listed 249 victims on its leak site by the end of 2021, when it suddenly became quiet.

  • PYSA was implemented in C++ and ChaChi in Go.
  • It used the open-source CryptoPP C++ library to encrypt data with a combination of the Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC) and the Rivest, Shamir, Adleman (RSA) algorithm.
  • The files encrypted by PYSA had the .pysa filename extension.
  • The group typically gained initial access to target systems through phishing email messages or by compromising credentials, such as brute-forcing Active Directory domain credentials or Remote Desktop Protocol (RDP) credentials.
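The two host-side indicators the article attributes to PYSA, the ".pysa" extension appended to encrypted files and the "Protect your system, amigo" slogan in the dropped note, are the kind of thing an incident responder triages first. The following is an added example, not code from the article or from any vendor: it scans a constructed file listing and constructed note contents for those indicators, counts affected directories to estimate the blast radius, and recovers the original file names (the part before the appended extension) so the right files can be pulled from backup. All paths and note text below are made up for the example.

```python
"""Triage helper for PYSA-style indicators (added example; sample data is constructed)."""
from collections import Counter
from pathlib import PurePosixPath

# Indicators taken from the article. Extensions are matched case-insensitively
# because appended extensions are sometimes seen with different casing.
RANSOM_EXTENSIONS = {".pysa"}
RANSOM_NOTE_PHRASES = ("protect your system, amigo",)

# Constructed sample listing, as a directory walk over a file share might return.
SAMPLE_FILES = [
    "/srv/share/finance/q3-report.xlsx.pysa",
    "/srv/share/finance/budget.docx.pysa",
    "/srv/share/finance/Readme.README",
    "/srv/share/hr/contracts.pdf",
    "/srv/share/hr/Readme.README",
    "/srv/share/it/backup.tar.PYSA",
    "/home/alice/notes.txt",
]

# Constructed sample note contents keyed by path (wording invented for the example).
SAMPLE_NOTES = {
    "/srv/share/finance/Readme.README": "Your files were encrypted.\nProtect Your System, Amigo.\n",
    "/srv/share/hr/Readme.README": "Contact us to recover your data. Protect your system, amigo.",
    "/home/alice/notes.txt": "grocery list: milk, eggs",
}


def is_encrypted_name(path: str) -> bool:
    """True if the file name carries an extension known to be appended by PYSA."""
    return PurePosixPath(path).suffix.lower() in RANSOM_EXTENSIONS


def note_matches(text: str) -> bool:
    """True if a text file contains one of the ransom-note slogans."""
    lowered = text.lower()
    return any(phrase in lowered for phrase in RANSOM_NOTE_PHRASES)


def original_name(path: str) -> str:
    """Strip the appended ransomware extension to recover the pre-encryption name."""
    suffix = PurePosixPath(path).suffix
    return path[: -len(suffix)] if suffix else path


def scan(files, notes):
    """Build a triage report from a file listing and a mapping of path -> note text.

    The report lists encrypted files, matching ransom notes, a per-directory
    count of encrypted files (blast radius), the original names to restore
    from backup, and an overall alert flag that requires both indicator types.
    """
    encrypted = sorted(p for p in files if is_encrypted_name(p))
    notes_hit = sorted(p for p, text in notes.items() if note_matches(text))
    per_dir = Counter(str(PurePosixPath(p).parent) for p in encrypted)
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes_hit,
        "directories": dict(per_dir),
        "original_names": [original_name(p) for p in encrypted],
        "alert": bool(encrypted and notes_hit),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_FILES, SAMPLE_NOTES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Requiring both an encrypted-file hit and a note hit before raising the alert keeps a single stray file with an odd extension from paging anyone; in practice the extension and slogan lists would be loaded from a threat-intelligence feed rather than hard-coded.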

#6 Midas: The Ransomware Made In Venezuela That Turned Victim's Files into Digital Gold

Aliases: Axxes
Formation: 2020
Location: Venezuela, Iran
Data Exfiltrated: N/A [33]
# Victims Exposed: 22 [34]
Programming Language(s): C#
Affiliations: 

The Midas ransomware was known to be a variant of the Thanos ransomware family, supposedly developed by a Venezuelan [35] and later sold to at least 38 clients, including at least one "Iranian state-sponsored hacking group" according to the FBI [36].

First identified in 2020, Thanos quickly established itself as a major player in the ransomware game. But just as quickly as it appeared, the group behind Thanos seemed to disappear. However, as it turns out, this was far from the end of the story. In the months that followed, the source code for the Thanos ransomware was leaked online, leading to the emergence of several new strains: Prometheus, Spook, Haron, and the latest addition to the family: Midas. Recently, the group appears to have rebranded itself as Axxes [37].

Like many of its contemporaries, Midas utilizes the tactic of double extortion, encrypting victims' data and demanding a ransom payment while also threatening to leak the stolen information on a dedicated data leak site.

  • Midas was written in C#, running on the .NET framework, and obfuscated using SmartAssembly.
  • The encryption process utilized a randomized key and the AES algorithm in CBC mode. The AES key itself was then encrypted by an RSA public key, adding an additional layer of security to the encryption process.
  • Upon infecting a system, it would reboot the machine into Safe Mode, allowing it to bypass traditional antivirus defenses.
  • The ransomware included a builder tool within its code. This allowed the group to easily create new variants of Midas by customizing existing samples. This means that even if a specific version of the malware was discovered and blocked, it was only a matter of time before a new, undetectable strain would appear.

Thanos Strains

  • The Prometheus strain has been used to target a wide range of victims across Brazil, Mexico, Peru and Chile, including government institutions, customs agencies, financial institutions, and private companies. According to Syhunt researchers, the Prometheus leak site listed a total of 36 victim organizations.
  • The Spook strain's leak site, on the other hand, listed a total of 13 organizations according to Syhunt.

#7 Nephilim: The Ransomware Group That Attacked Giant Corporations

Aliases: Nefilim
Formation: 2020
Location: Unknown
Data Exfiltrated: N/A [38]
# Victims Exposed: 40 [39]
Programming Language(s): Delphi/Pascal
Affiliations: 

"Harken ye, for there shall come a time when men shall create beasts of metal and glass, mightier than any other machine, to store wealth and secrets of knowledge. But a pestilence shall arise, the Nephilim, who shall use these beasts to steal and hold secrets for ransom."

A mock passage in the style of the Hebrew Bible, prophesying the Nephilim, written by ChatGPT at our request.

First observed in late 2019, with actual attacks being seen in March 2020, Nephilim was a notable ransomware group that exposed victims through its dark web site called Corporate Leaks [40]. It is believed to be an evolved version of Nemty 2.5, a 2019 ransomware written in the Delphi programming language.

  • The group placed strong emphasis on Remote Desktop Protocol (RDP), brute-forcing RDP setups and using various known vulnerabilities to gain access to the victim's network, such as the Citrix vulnerabilities (CVE-2019-19781 and CVE-2019-11634) and an old vulnerability in the Windows Component Object Model (COM) software (CVE-2017-0213).
  • Most of the group's victims were in the US, followed by Europe, Asia, and Oceania.
  • Nefilim ransomware uses a combination of the AES-128 and RSA-2048 algorithms to encrypt the victims’ files. First, the files are encrypted using AES-128, and the AES key is then encrypted using the RSA-2048 public key [41].

Name Origin

The Nephilim, first mentioned in the Hebrew Bible in the Book of Genesis, are described as a race of giant, powerful beings who were the offspring of fallen angels and human women. They were seen as a threat to the human race and were ultimately wiped out in the Great Flood.

The ransomware group may have adopted the name to align themselves with the powerful and intimidating image of these beings from the Bible. Additionally, the Nephilim could represent the giant corporations that the ransomware group seeks to target.

The group is known to have attacked organizations with over $1 billion in revenue, as well as smaller companies [42] [43]. According to Syhunt research, 40 victims were listed by the group on its leak site.

#8 Pay2Key: A New Front in a Cyberwar Between Two Nations

Aliases: Fox Kitten
Formation: 2020
Location: Iran
Data Exfiltrated: 14.3 TB [44]
# Victims Exposed: 6+ [45]
Programming Language(s): C++
Affiliations: UNC757, Parisite, Pioneer Kitten, APT33, APT34

In the 2020 cyber warfare between Israel and Iran, the Pay2Key ransomware group emerged. Their operations have caused significant damage to companies caught in the crossfire.

The two countries have been locked in a cyber battle for years, with both nations using sophisticated tools and tactics to infiltrate and disrupt each other's networks. The cyber operations between Israel and Iran are wide-ranging and have included intelligence gathering, sabotage and espionage. In 2010, Stuxnet, a highly advanced worm, supposedly Israeli-American, targeted several Iranian facilities, including the nuclear plant in Natanz, in a cyber-sabotage campaign that was unprecedented in its scale and sophistication. Later, in 2020, Iran was accused of deploying the Pay2Key ransomware against its rival.

The ongoing cyber confrontation between Israel and Iran is a reminder that cyber warfare is not just a theoretical concept, but a real and ongoing threat. It also illustrates how cyber attacks can be used as a tool of statecraft and how cybercrime groups can become proxies for nation-state actors.

  • Pay2Key was believed to be operated by a group of individuals based in Iran[46].
  • The group carried out targeted attacks against Israeli and Brazilian companies.
  • Written in C++, the ransomware used a solid encryption scheme based on the AES and RSA algorithms.
  • Typically, they demanded a ransom payment in Bitcoin, with amounts ranging between seven (7) and nine (9) Bitcoin. Today, one (1) bitcoin is worth around $21,218.35 USD.
  • The group was known for the use of various open-source and proprietary offensive tools. They were spotted focusing on enterprise VPNs for intrusion and specifically targeting F5 Networks' BIG-IP application delivery controller (ADC) during their operations.
  • Vulnerabilities targeted by the group included CVE-2019-11510 (Pulse Secure), CVE-2018-13379 (Fortinet FortiOS), CVE-2018-1579 (Palo Alto Networks VPN), CVE-2019-19781 (Citrix NetScaler) and CVE-2020-5902 (F5 BIG-IP). Microsoft Exchange Server and RDP accounts were also targeted.

#9 CryLock, LOCKDATA and The Rise of Stolen Data Auctions

Aliases: 
Formation: 2021
Location: Russia (likely)
Data Exfiltrated: N/A [47]
# Victims Exposed: 7+ [48]
Programming Language(s): Delphi (Pascal)
Affiliations: LOCKDATA Auction

The dark web is known for its illicit offerings, from illegal drugs to stolen credit card information. But in 2020 a new trend started emerging among ransomware groups: the auctioning of stolen data, with the REvil ransomware group launching the first auction site to sell stolen data from its victims [49].

The LOCKDATA Auction website was one of the new players in this space, offering various auctions of stolen data from victims worldwide. According to researchers, it was unclear if the site was a real auction site or just a menacing mockup, created to coerce victims into paying the ransom.

The LOCKDATA leak auction site was presumed to be connected to the CryLock ransomware team or to be a user of the CryLock RaaS. This Ransomware-as-a-Service (RaaS) model allowed "partners" or "affiliates" to acquire the malware and deploy it in victim environments. CryLock made its first appearance in 2014 [50], under the name Cryakl. However, a take-down of its infrastructure in 2018 resulted in a decryptor being published [51]. In 2020, Cryakl rebranded itself as CryLock and resurfaced as a cyber threat (https://twitter.com/LawrenceAbrams/status/1254471019047399424?s=20).

  • The LOCKDATA auctions had a starting price, ranging from $50,000 to $500,000, with a minimum deposit of $0 to $50,000 and a final price that could reach up to $1,500,000. The descriptions of the auctioned victims and data sets were often comprehensive, with data set sizes ranging from 50 GB to 2 TB.
  • The CryLock ransomware, employed by the group behind the LOCKDATA Auction site, was known to be a variant of the Cryakl ransomware.
  • It would check whether or not the victim was located in Russia and other CIS states before encrypting the victim's files.
  • Another ransomware existed under the name LockData[52], not appearing to have any connection with the LOCKDATA Auction website or the ransomware named CryLock.

#10 SunCrypt: The Group That Went Against Ransomware Development Trends

Aliases: 
Formation: 2019
Location: Russia, Kyrgyzstan, Syria (likely)
Data Exfiltrated: N/A [53]
# Victims Exposed: 8+ [54]
Programming Language(s): Go, C, C++
Affiliations: 

First spotted in October 2019, SunCrypt was one of the first groups to apply triple extortion tactics. This RaaS group first burst onto the scene with a Windows-based ransomware tool written in Go. But it was the release of their C/C++ version in mid-2020 that truly elevated them to new heights. The move from a simpler, efficient, and less detectable language like Go to C/C++ was something that puzzled many researchers.

Researchers also believed that the SunCrypt ransomware may have evolved from the QNAPCrypt ransomware (also known as eCh0raix) [55].

Despite being operated by different threat actors, forensic analysis by researchers at Intezer has revealed striking similarities in both code reuse and techniques, pointing to a possible link between the two. "Both families share identical code logic for the file encryption, which we can conclude with high certainty has been compiled from the same source code," said the company in its blog.

The technical connections suggest that the same author may be behind both of these tools.

Specifically, QNAPCrypt would avoid encrypting files on machines that it detected to be located in Belarus, Russia, or Ukraine. Similarly, SunCrypt also avoided these countries, but went a step further by also excluding Kyrgyzstan and Syria. These targeted exclusions raised intriguing questions about the motivations behind these attacks and the possible connections of the malware creators to these specific nations.

  • The group often used a PowerShell loader for delivery and deployment.
  • SunCrypt used multithreading with I/O completion ports to achieve faster encryption, a technique commonly used by today's top ransomware families.
  • SunCrypt also employed a unique combination of the Curve25519 and ChaCha20 algorithms during the encryption routine.

Other Inactive Ransomware Groups

  • Pandora: a ransomware developed with Visual C++ [56], believed to be a rebrand of the Rook ransomware [57]. According to Syhunt research, the group behind it exposed 5 victim organizations.
  • Onyx: a ransomware believed to be based on the Chaos ransomware [58]. According to Syhunt research, the group behind it exposed 7 victim organizations.
  • Babuk: a retired ransomware group internally known as Babyk and formerly Vasa Locker [59]. According to Syhunt research, the group exposed 5 victim organizations on its leak site.
  • Arvin Club: a ransomware group that metamorphosed into a group of activists against the Iranian Islamic regime [60]. According to Syhunt research, the group exposed 7 victim organizations on its leak site.

This article was published by The Hunter on January 25, 2023. It has been written with contributions from the Syhunt Icy team.